Security – is the Internet of Things ready for the next big one?
The big question this week is whether or not the world can secure its Internet of Things devices in time for the next attack, after last Friday’s attack, which left many in the tech industry reeling.
I know a lot of talk has gone around about who might have been responsible for it as well, but that is truly the wrong question at this point because it is the least important right now.
The attack that disabled websites across much of the continental US and Europe last week was what is known as a DDoS (distributed denial-of-service) attack.
Dyn, which happens to be a major provider of internet infrastructure, was swarmed by data requests from a network of hijacked devices. Normally it’s machines, but in this case it turned out to be connected devices.
It has been reported that last Friday’s attack appears to have been caused by hijacked DVRs and web-enabled cameras. As it turned out, many of the DVRs and web-enabled cameras contained circuit boards and software manufactured by the Chinese tech firm Hangzhou Xiongmai.
The firm is well known for selling completely insecure cameras and DVRs and, as we now know, many have been hacked and placed into botnets such as the Mirai botnet, where they participate in DDoS attacks.
Many of the used devices are in fact infected by Mirai.
Hangzhou Xiongmai initially shot back that it was the fault of end users who failed to change passwords… Hangzhou Xiongmai did end up recalling something like 4.3 million circuit boards used in cameras.
By the way, it is rumored that over half a million IoT devices are already infected with the Mirai IoT malware.
Mirai was built for 2 core purposes:
- Locate and compromise IoT devices to further grow the botnet.
- Launch DDoS attacks based on instructions received from a remote C&C.
What’s really interesting about Mirai was that it was hardcoded with an avoid list. That’s right, a list of IPs it is to avoid infecting. The list includes the USPS, the Department of Defense, HP, GE, The Internet Assigned Numbers Authority…
That list is pretty intriguing to say the least. I can see some of the groups to avoid on the list, but the USPS? No offense to the USPS, but why?
It’s left some speculating that the code’s author(s) were concerned with being exposed, while others have speculated that the list indicates the author(s) learned the art of coding from a Wiki page or from popular media, which makes some think the author(s) are not pros.
Which is irrelevant at this stage because Mirai is doing its job quite nicely.
Mirai also comes equipped with an added bonus which leaves users who are trying to remove it pretty frustrated.
- Help Mirai maximize the attack potential of the botnet devices.
- Prevent similar removal attempts from other malware.
If you have had a chance to look at any of the code for Mirai, you might have noticed that part of the code appears to be in Russian, which leads many to believe that the author or some of the authors are in fact Russian hackers or hackers who are originally from Russia.
Still the question at the end of the day is pretty simple:
The real issue we face here is, with so many IoT devices that are already in homes and offices, how can we secure them now?
People don’t normally think about securing a coffee maker when they buy it. The expectation is more or less that it is sold already secured, but what if it wasn’t?
The answer is, most don’t know and they don’t know how to begin testing for it.
I like ShieldsUP!
Before doing that, I would make sure to disable all remote (WAN) access to your devices. Then, to verify that your device is not open to remote access, you need to scan the following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443).
You will want to look for a status of “Stealth”, which means that your port is secure.
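The same four-port check can be scripted. This is an added example, not code from ShieldsUP! or from the original post. It assumes Python 3 and a target you own, and the function names and the extra “unreachable” status are this example’s own. Run from outside your network against your public IP address it mirrors the WAN test; run inside the LAN it shows what the device itself is listening on.

```python
import socket
import sys

# Ports the post says to check; the service names are labels for the report.
PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}

def probe(host, port, timeout=3.0):
    """Classify one TCP port using the open/closed/stealth vocabulary."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # handshake completed: a service is reachable
    except (socket.timeout, TimeoutError):
        return "stealth"       # no reply at all: the probe was silently dropped
    except ConnectionRefusedError:
        return "closed"        # host answered with a reset: visible, no service
    except OSError:
        return "unreachable"   # routing or name error: result is inconclusive
    finally:
        sock.close()

def audit(host, ports=PORTS, timeout=3.0):
    """Probe every listed port and return {port: status}."""
    return {port: probe(host, port, timeout) for port in ports}

def needs_attention(results):
    """Ports that are not stealthed, with open ports listed first."""
    order = {"open": 0, "closed": 1, "unreachable": 2}
    flagged = [(p, s) for p, s in results.items() if s != "stealth"]
    return sorted(flagged, key=lambda item: (order[item[1]], item[0]))

if __name__ == "__main__":
    # Assumption: the target is a device or public IP address you own.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = audit(target)
    for port, status in results.items():
        print(f"{target}:{port:<4} {PORTS[port]:<7} {status}")
    for port, status in needs_attention(results):
        print(f"review port {port}: {status}")
```

A “closed” result still tells a scanner that something is at that address, which is why the check looks for “stealth” rather than merely not open.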
You will also need to test your router, which is no easy task for most. You can read information on that at routersecurity.org.
To be honest, however, for most average everyday consumers this can be very overwhelming, so moving forward we need to be thinking of answers that fall in line with how consumers think.
They don’t think like tech experts or tech laymen, they think like consumers.
Some are calling for the Government to regulate IoT security, which is a fine idea but in the meantime…
With so many devices already exposed or at risk, some thought should go to the idea or notion that a fix pushed out to devices might be in order.
Cristal M Clark